
Compliance Management and FRCP Rule Amendments: The IT Perspective

CIOs face a multitude of regulatory requirements regarding enterprise data, such as Gramm-Leach-Bliley, Sarbanes-Oxley, HIPAA, the Patriot Act and Basel II. If you carefully analyze each of these requirements from an IT perspective, they broadly fall into the following two categories: data retention and data auditing.

Before I discuss those, let's first define data. All data that is created or used in an organization, be it an email, an instant message or a document, constitutes a business record for the organization.

Data Retention. Every organization needs a data retention policy, which should cover the lifespan of records and information that one holds, from creation to destruction. The policy should not just cover the laws and regulations but should also deal with lawsuits and discovery requests. Further, it needs to demonstrate a secure storage environment for all enterprise data, and that data needs to be searchable and retrievable in a timely manner. In order to build the policy, you have to survey your organization's legal landscape, determine what is really required and team up with the right people to build an information retention policy. In general, the best practice for data retention is about seven years, but that can go longer depending on the industry, type of organization and type of information. For instance, in health care, pharmaceuticals and insurance, the retention periods can be longer.

Data Auditing. Proving accountability requires not only that all data be monitored but also that complete records of access and use be available. Those records create the audit trail. The audit trail shows who did what, when and how; records anomalies; proves compliance; and provides assurance that data is used only in intended and appropriate ways. A comprehensive, perpetual audit gives an organization a system for identifying data losses that otherwise often go undetected. To achieve this, one needs to capture data access records, tracking all data access and modification by any means. The audit should also record structural changes to the database schema and changes to the permissions that control data access. A complete record of data access, of changes to data and of changes to database structure such as logins and permissions enables organizations to verify and demonstrate adherence to security policies and compliance imperatives. Further, the auditing has to capture the activity of privileged users, such as database administrators and IT managers. Capturing audit data across all users creates a comprehensive audit system for an organization.
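The audit trail described above (who did what, when and how, across reads, writes and schema changes, for privileged and ordinary users alike) can be sketched in a few dozen lines. The following is an added example and not code from the article or from any product it mentions; it uses SQLite's authorizer hook, which is invoked while each statement is compiled and reports the action and the object touched. The `AuditedDb` wrapper, the actor names and the employee table are all constructed for this demonstration, and SQLite has no GRANT statement, so the permission-change category the article asks for is not shown.

```python
import sqlite3
import time

# Map the SQLite authorizer action codes we audit to audit-trail verbs.
ACTION_NAMES = {
    sqlite3.SQLITE_READ: "READ",
    sqlite3.SQLITE_INSERT: "INSERT",
    sqlite3.SQLITE_UPDATE: "UPDATE",
    sqlite3.SQLITE_DELETE: "DELETE",
    sqlite3.SQLITE_CREATE_TABLE: "CREATE_TABLE",
    sqlite3.SQLITE_ALTER_TABLE: "ALTER_TABLE",
    sqlite3.SQLITE_DROP_TABLE: "DROP_TABLE",
}


class AuditedDb:
    """Hypothetical wrapper: every statement is journaled with who (actor),
    what (action and object), when (timestamp) and how (statement text).
    The authorizer hook fires while a statement is compiled, so it sees
    reads as well as writes and DDL, which row triggers alone cannot."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.journal = []        # append-only; ship to a separate store in production
        self.actor = "unknown"   # application user on whose behalf we run
        self._sql = None         # statement currently being compiled
        self.conn.set_authorizer(self._authorize)

    def _authorize(self, action, arg1, arg2, db_name, trigger_name):
        verb = ACTION_NAMES.get(action)
        # Ignore actions we do not audit and SQLite's own catalog tables.
        if verb and arg1 and not str(arg1).startswith("sqlite_"):
            self.journal.append({
                "ts": time.time(),
                "actor": self.actor,
                "action": verb,
                # column-level for READ/UPDATE, table-level otherwise
                "object": f"{arg1}.{arg2}" if arg2 else arg1,
                "sql": self._sql,
            })
        return sqlite3.SQLITE_OK  # audit only: never block the statement

    def execute(self, actor, sql, params=()):
        self.actor, self._sql = actor, sql
        # Caveat: sqlite3 caches compiled statements, so re-running an
        # identical SQL string may skip compilation and thus this hook;
        # a production version should also hook set_trace_callback().
        return self.conn.execute(sql, params).fetchall()

    def events_for(self, actor):
        """Everything a given user (privileged or not) did, in order."""
        return [e for e in self.journal if e["actor"] == actor]

    def structural_changes(self):
        """Schema changes, kept in the same trail as the data changes."""
        return [e for e in self.journal
                if e["action"] in ("CREATE_TABLE", "ALTER_TABLE", "DROP_TABLE")]


def demo():
    """Constructed activity: a DBA builds and alters the schema, an HR
    application loads a record and an analyst reads it."""
    db = AuditedDb()
    db.execute("dba", "CREATE TABLE employees (id INTEGER PRIMARY KEY, "
                      "name TEXT, salary INTEGER)")
    db.execute("hr_app", "INSERT INTO employees (name, salary) VALUES (?, ?)",
               ("A. Example", 120000))
    db.execute("analyst", "SELECT name, salary FROM employees WHERE id = ?", (1,))
    db.execute("dba", "UPDATE employees SET salary = salary + 1 WHERE id = ?", (1,))
    db.execute("dba", "ALTER TABLE employees ADD COLUMN bonus INTEGER")
    return db


if __name__ == "__main__":
    for e in demo().journal:
        print(f'{e["actor"]:8} {e["action"]:13} {e["object"]}')
```

The journal is kept in memory here only to keep the example short; the point of an audit trail is lost if the people being audited can edit it, so a real deployment writes it to a store the database administrators cannot modify.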

Most digital attacks originate from inside an organization. Data auditing provides a means to catch those wrongdoers. Most fraud is not based on illicit access to the production system but rather on access to training, testing and development systems, where all the data is available. Most enterprises copy the production system to training/testing/development, including HR records, credit card information and payroll records, because of the complexity of building masking algorithms that preserve the data integrity of the system so it can still function for testing and development. Some companies provide technology to create smaller data subsets for the testing/training/development system while masking the confidential data and preserving the data integrity of the system.
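The subsetting-plus-masking approach in the last sentence is worth seeing concretely, because the hard part is the integrity constraint: a masked employee key must change the same way in every table that references it, or the test copy stops working. The block below is an added example, not the article's or any vendor's code. It uses a keyed, deterministic pseudonym (HMAC-SHA256 under a placeholder key) so that the same production value always maps to the same masked value, and it checks both that foreign keys still resolve and that no real identifier survives in the copy. The two sample tables, the field names and `MASKING_KEY` are constructed for the demonstration.

```python
import hashlib
import hmac

# Placeholder key for this example; in practice it is held in a secrets
# manager and never shipped alongside the masked copy.
MASKING_KEY = b"placeholder-masking-key-do-not-reuse"

# Constructed sample data standing in for two related production tables.
EMPLOYEES = [
    {"emp_id": 101, "name": "Ada Example", "ssn": "123-45-6789", "dept": "ENG"},
    {"emp_id": 102, "name": "Bob Example", "ssn": "987-65-4321", "dept": "ENG"},
    {"emp_id": 103, "name": "Cy Example",  "ssn": "555-12-3456", "dept": "OPS"},
]
PAYROLL = [  # emp_id is a foreign key into EMPLOYEES
    {"pay_id": 1, "emp_id": 101, "gross": 9000, "card": "4111111111111111"},
    {"pay_id": 2, "emp_id": 102, "gross": 8500, "card": "4222222222222220"},
    {"pay_id": 3, "emp_id": 103, "gross": 9100, "card": "4333333333333333"},
    {"pay_id": 4, "emp_id": 101, "gross": 9000, "card": "4111111111111111"},
]


def pseudonym(value, width=16):
    """Keyed, deterministic replacement: the same input always yields the
    same output, so joins and uniqueness survive masking, while the
    original cannot be recovered from the copy without the key."""
    mac = hmac.new(MASKING_KEY, str(value).encode(), hashlib.sha256)
    return mac.hexdigest()[:width]


def mask_digits(value, length):
    """Replace a numeric identifier with a digit string of the same length,
    so column widths and length validators in the test system still pass."""
    return f"{int(pseudonym(value), 16) % 10**length:0{length}d}"


def mask_ssn(ssn):
    d = mask_digits(ssn, 9)  # keep the NNN-NN-NNNN shape
    return f"{d[:3]}-{d[3:5]}-{d[5:]}"


def build_test_subset(employees, payroll, keep_ids):
    """Return masked copies of only the rows belonging to keep_ids, with
    the employee key re-mapped consistently across both tables."""
    id_map = {e["emp_id"]: int(pseudonym(e["emp_id"], 8), 16) for e in employees}
    emp_out = [
        {"emp_id": id_map[e["emp_id"]],
         "name": "Employee " + pseudonym(e["name"], 6),
         "ssn": mask_ssn(e["ssn"]),
         "dept": e["dept"]}                 # not confidential; kept as-is
        for e in employees if e["emp_id"] in keep_ids
    ]
    pay_out = [
        {"pay_id": p["pay_id"],
         "emp_id": id_map[p["emp_id"]],     # same mapping as emp_out
         "gross": p["gross"],               # kept here; policy decides if amounts need masking
         "card": mask_digits(p["card"], len(p["card"]))}
        for p in payroll if p["emp_id"] in keep_ids
    ]
    return emp_out, pay_out


def referentially_consistent(emp_rows, pay_rows):
    """Every payroll row must still point at an employee in the subset."""
    ids = {e["emp_id"] for e in emp_rows}
    return all(p["emp_id"] in ids for p in pay_rows)


def leaks_original(masked_rows, original_rows, field):
    """True if any masked value is identical to a real production value."""
    real = {r[field] for r in original_rows}
    return any(r[field] in real for r in masked_rows)


if __name__ == "__main__":
    emp, pay = build_test_subset(EMPLOYEES, PAYROLL, keep_ids={101, 103})
    print("employees:", emp)
    print("payroll:", pay)
    print("integrity ok:", referentially_consistent(emp, pay))
```

The two checks at the end are the ones to run before a masked copy is handed to a development team: `referentially_consistent` catches a mapping applied to one table but not another, and `leaks_original` catches a column that was overlooked by the masking rules.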

FRCP - Electronic Discovery Rule Amendments

The new Federal Rules of Civil Procedure (FRCP), which took effect on December 1, 2006, have implications for the enterprise, and data retention policies and data auditing can help. The rules are a set of do's and don'ts that govern the conduct and procedure of all civil actions in federal district courts. They do not apply to suits in state courts, although the rules of many states have been closely modeled on these provisions.

The new rules primarily change the landscape of legal discovery in a civil lawsuit. Typical inquiries are made through depositions, interrogatories and requests for documents, and there is no Fifth Amendment right for organizations.

  • Rule 33 - Response to Interrogatories allows a response to an interrogatory (i.e., a series of written questions) to be electronic data or electronic documents. Currently, interrogatories are either answered in writing or by submitting a written document. Having an audit trail for the data that is produced for an interrogatory helps in fighting the case with conviction.
  • Rule 26(b)(2) - Reasonably Accessible Info requires production of electronic data that is reasonably accessible. While the meaning of "reasonably accessible" data is debatable, having an adequate policy on data retention does help in preparing for this.
  • Rule 37(f) - Safe Harbor Provision limits sanctions if discoverable electronic data is lost due to routine operations. Having a policy, and being able to show that it is followed across the organization, can help in defending against sanctions.

In summary, a sound data retention policy and a system that supports information lifecycle management (ILM) objectives enable data retention, and data auditing policies can not only help meet compliance requirements but also effectively manage lawsuits and e-discovery requests.


Sai Gundavelli is the founder and CEO of Solix Technologies. Gundavelli is responsible for the company's overall vision and strategic direction. He has a proven track record in recognizing and quickly responding to the requirements of the high-tech marketplace and is the founder of many successful startups including Emagia Corporation, SITI Corporation and Digiprise, Inc. Prior to founding Solix technologies, Gundavelli spearheaded several strategic initiatives in enterprise application areas at CISCO Systems and Arix Corp. He may be reached at sai.gundavelli@solix.com.
